Adobe 38043740 Lockdown Guide


Adobe 38043740 manual content summary:

  • Adobe 38043740 | Lockdown Guide - Page 1
    6: ColdFusion Server Services 57 Section 7: Patch Management Procedures 83 Appendix A: Sources of Information 84 Appendix B: List of Acronyms 85 Acronym 85 Meaning 85 Adobe® ColdFusion® 10 Server Lockdown Guide Section 1: Introduction The ColdFusion 10 Server Lockdown Guide is written to
  • Adobe 38043740 | Lockdown Guide - Page 2
    1.3 ColdFusion Version This guide was written for ColdFusion 10.0 Enterprise Edition. 1.4 Scope of Document This document does not detail security settings for the Operating System, the Web Server, or Network Firewalls. It is focused
  • Adobe 38043740 | Lockdown Guide - Page 3
    your Firewall to block all non-administrative traffic to the server during installation. Download ColdFusion 10 from Adobe.com. Verify that the MD5 checksum of the downloaded file matches the MD5 specified on the Adobe.com download page. On Mac OS X: To obtain the MD5 checksum of a file on Mac
  • Adobe 38043740 | Lockdown Guide - Page 4
    to allow for fine grained access control. Set up a dedicated website for the CF administrator. 2.2.1 Create Dedicated User Accounts Create a new user for the ColdFusion service to run as; in the screenshot below we call this user cfusion, but choose a unique username that cannot be easily guessed. Create
  • Adobe 38043740 | Lockdown Guide - Page 6
    Next create a new user for the IIS Application Pool: For both users right click and select Properties. In the Remote Desktop Services Profile tab check the box that says Deny this user permission to log on to Remote Desktop Session Host server. If you are setting up
  • Adobe 38043740 | Lockdown Guide - Page 7
    2.2.2 Create Web Root Directory Create a separate partition for the CFML source and web site assets; for the examples in this guide it is mapped to drive f:\. Create a directory to contain the web sites, for example f:\web\, and then create a sub directory to house each web site. 2.2.3
  • Adobe 38043740 | Lockdown Guide - Page 8
    In the Advanced Security Settings Dialog click the Edit Button: Uncheck the checkbox labeled Include inheritable permissions from this object's parent. A confirmation box will appear, select remove:
  • Adobe 38043740 | Lockdown Guide - Page 9
    Table 2.2.3.1 Web Root Content Security Permissions User / Group Permissions Administrators (or equivalent users and groups) Full Control iisservice (Your Application Pool Identity User) • List folder / read data • Read attributes • Read extended attributes • Read permissions IUSR (the
  • Adobe 38043740 | Lockdown Guide - Page 10
    User / Group cfusion (Your ColdFusion Service Identity) Permissions • List folder / read data • Read attributes • Read extended attributes • Read permissions (Add additional write/ A good minimal policy would be to audit all Fails, and certain Success events (Delete, Change Permissions, etc).
  • Adobe 38043740 | Lockdown Guide - Page 11
    2.2.4 Add / Remove IIS Server Roles On a clean Windows 2008 install IIS may need to be installed. This is done by opening the Server Manager and selecting Roles:
  • Adobe 38043740 | Lockdown Guide - Page 12
    Next click Add Roles, and select the checkbox next to Web Server (IIS):
  • Adobe 38043740 | Lockdown Guide - Page 13
    The IIS role includes a number of optional sub-components called "Role Services". ColdFusion requires that the ASP.NET, CGI, ISAPI Extensions and ISAPI Filters Role Services are selected. After we have configured the ColdFusion 10 IIS connection we can actually remove the ASP.NET and CGI Role
  • Adobe 38043740 | Lockdown Guide - Page 14
    Review the list of Role Services and remove any that may not be necessary (for example Directory Browsing). You may find other Role Services to be useful or necessary, such as Logging Tools, HTTP Redirection, Request Filtering, and IP and Domain Restrictions.
  • Adobe 38043740 | Lockdown Guide - Page 15
    2.2.5 Delete Default IIS Web Site A web site is installed with IIS called Default Web Site, right click and select Remove. 2.2.6 IIS Application Pool Settings Click on Application Pools in IIS Manager and then click Set Application Pool Defaults in the Actions menu. This allows you to change the
  • Adobe 38043740 | Lockdown Guide - Page 16
    Under Process Model change the Identity to be the IIS user you created (for example iisservice). You will be prompted for the password of this user:
  • Adobe 38043740 | Lockdown Guide - Page 17
    of the Users group which may allow for additional unnecessary access to files. 2.2.8 Setup Request Filtering Make sure that you have the Request Filtering Role Service for IIS installed. Under the IIS root (applicable for all web sites) click on Request Filtering. Select the URL tab and click Deny
  • Adobe 38043740 | Lockdown Guide - Page 18
    web site for ColdFusion administrator access. /CFIDE/adminapi Admin API /CFIDE/AIR AIR Sync API Usually, if the admin api is called from internal method to protect this uri (eg IP restriction) Usually, unless AIR sync API is used. /CFIDE/appdeployment /CFIDE/classes /CFIDE/componentutils
  • Adobe 38043740 | Lockdown Guide - Page 19
    /CFIDE/multiservermonitoraccess-policy.xml Used to set a policy for allowing viewing the server monitor from multiple domains. Yes - the server monitor now runs on its own web server on port 5500. /CFIDE/orm Contains interfaces used with ORM. Yes. These interfaces do not need to be accessible
  • Adobe 38043740 | Lockdown Guide - Page 20
    /CFIDE/websocket /CFIDE/wizards /CFIDE/GraphData /CFIDE/main Contains the AIR application binary for the Server Manager. Yes. Contains CFCs that can act as a service layer to Flex, or other client side applications. Yes. The client application must have a username / password and also an allowed
  • Adobe 38043740 | Lockdown Guide - Page 21
    Our strategy here is to block all URIs that do not need to be accessible to the public. Some of the resources we will block here may not pose any known threat but could be used to determine the version of ColdFusion you are running. Ideally we could block all of /CFIDE, however if you use cfchart the
  • Adobe 38043740 | Lockdown Guide - Page 22
    you can block it at the web server level as well. Used for Only if Flash Forms are not used. Flex Remoting Only if Flex Remoting is not used.
  • Adobe 38043740 | Lockdown Guide - Page 23
    ) tags Only if cfreport, cfpresentations and cfimage are not used. /rest /WSRPProducer .svn Used for CF10 Rest web services support. Only if CF10 REST web services are not used. Web Services Endpoint for WSRP. Usually, unless WSRP is used. Yes. If you use subversion to deploy your ColdFusion
  • Adobe 38043740 | Lockdown Guide - Page 24
    Next click on Sites and Add Web Site to create a new website for ColdFusion Administrator, point the web root or content directory to the directory you just created. Bind the new site to 127.0.0.1 (or another IP address only accessible to system administrators). Select HTTPS for the protocol, and
  • Adobe 38043740 | Lockdown Guide - Page 25
    Select Require SSL and Require 128-bit SSL and click Apply. Visit https://127.0.0.1/ and ensure that it requires SSL and authentication. Remove Request Filtering Rule for ColdFusion Administrator Site Because we have specified that the URI /CFIDE/administrator is blocked on a global level using IIS
  • Adobe 38043740 | Lockdown Guide - Page 27
    the ColdFusion installer on Linux 2.3.1 - Before you Install RedHat Enterprise Linux Read through the NSA Guide to Secure Configuration of Red Hat Enterprise Linux 5 (A.3) - at the time of this writing a Guide specific to RHEL Version 6 was not yet published, check with the NSA operating system
  • Adobe 38043740 | Lockdown Guide - Page 28
    the Apache Web Server. 2.3.5 Create users and groups for ColdFusion and Apache Create a new group to contain both Apache and ColdFusion; in this guide we use the name webservices, but feel free to choose a unique name. # groupadd webservices The Apache web server runs as user apache by default on
  • Adobe 38043740 | Lockdown Guide - Page 29
    Create a user for ColdFusion to run as; in this guide we use cfusion, but again feel free to choose a unique name: # adduser -g webservices -s /sbin/nologin -M -c ColdFusion cfusion Specify a strong password for the new user: # passwd
  • Adobe 38043740 | Lockdown Guide - Page 30
    Deny from all Allow from 127.0.0.1 The above blocks all requests starting with /CFIDE for all IPs except 127.0.0.1. You may want to change that to the IP address of an administration workstation instead, to allow yourself access to the ColdFusion Administrator.
  • Adobe 38043740 | Lockdown Guide - Page 31
    SSLRequireSSL The above requires that mod_ssl and openssl are installed and configured. Finally, let's require authentication for the /CFIDE/administrator URI; this will allow you to audit which administrators have made changes to the administrator settings.
  • Adobe 38043740 | Lockdown Guide - Page 32
    to set the SELinux context of the files, see Linux Post Installation section or Appendix A.10. Section 3 - Installing ColdFusion 3.1 Run ColdFusion Installer Run the ColdFusion 10 Installer. This guide covers the standard Server configuration option and does not cover installation as a WAR or EAR
  • Adobe 38043740 | Lockdown Guide - Page 34
    Do not install ColdFusion 10 ODBC Services, ColdFusion 10 Admin component for Remote Start/Stop or Documentation. Select only the subcomponents that are required for your application.
  • Adobe 38043740 | Lockdown Guide - Page 35
    specify the IP addresses which may access ColdFusion Administrator. The Secure Profile option is new in ColdFusion 10 and provides a more secure foundation of default settings. You can review the settings it toggles here: http://www.shilpikhariwal.com/2012/04/coldfusion-10-presents-secureprofile.html
  • Adobe 38043740 | Lockdown Guide - Page 36
    Select an install directory; a non-standard directory location on a non-system partition is preferred.
  • Adobe 38043740 | Lockdown Guide - Page 37
    web server connector tool (wsconfig.exe) again to connect ColdFusion 10 to the web site. If you are installing on Linux with SELinux enabled, hold off on installing the apache connector, this is done manually later on in this guide. For maximum security consider running the web server and ColdFusion
  • Adobe 38043740 | Lockdown Guide - Page 39
    Choose a strong password and unique username for the ColdFusion administrator. Strong passwords should be at least 8 characters in length and contain a random mix of case, numbers and special characters.
  • Adobe 38043740 | Lockdown Guide - Page 40
    You may consider checking the checkbox to allow ColdFusion to check for updates when you login to ColdFusion administrator - note that it will not install the updates, only check for new updates.
  • Adobe 38043740 | Lockdown Guide - Page 41
    any Hotfixes: See http://helpx.adobe.com/coldfusion/kb/coldfusion-10-mandatory-update.html Login to ColdFusion administrator and click on Server Updates > Updates and then select the latest hotfix, and click Download. Verify the integrity of the download by verifying the md5 checksum
  • Adobe 38043740 | Lockdown Guide - Page 42
    The IIS Application Pool user (iisservice in our examples) must also have permission to access the Tomcat IIS connector. Grant this user permission to the \config\wsconfig\ directory in your ColdFusion installation directory. Folder Permission {coldfusion-home} Full Control {coldfusion-home} {
  • Adobe 38043740 | Lockdown Guide - Page 43
    runs as to be the user you created (cfusion in the guide example). The installation creates a service named ColdFusion 10 Application Server which runs the initial ColdFusion instance. Right click the service, click Properties and select the Log On tab to specify the username and password for
  • Adobe 38043740 | Lockdown Guide - Page 44
    installed any optional subcomponents (such as Solr or .NET) ensure that their services run as the ColdFusion user account as well. If you installed a subcomponent but are not using it yet, you can change the service Startup type to Disabled. 4.1.4 Remove /CFIDE and /cfdocs virtual directories added
  • Adobe 38043740 | Lockdown Guide - Page 45
    scripts: cfajaxproxy, cfcalendar, cfchart (HTML5), cfdiv, cfform, cfgrid, cflayout, cfmediaplayer, cfmenu, cftextarea, cfpod, cfprogressbar, cfslider, cftooltip, cfwindow In this guide we choose a virtual directory mapping of /cf-scripts/ but you should choose a unique mapping name for your server. Once
  • Adobe 38043740 | Lockdown Guide - Page 46
    may not be the latest JVM supported by Adobe ColdFusion 10, or it may contain security issues. Download the JVM from java.oracle.com Yes, if your applications do not require JSP. Java Web Services - allows you to easily write and deploy SOAP web services in Java similar to a CFC. Yes if not used.
  • Adobe 38043740 | Lockdown Guide - Page 47
    shown in the previous section. Keep in mind that if you remove the mapping for a source file (such as .cfc) the source code may be downloaded when requested, if the extension has not been blocked using Request Filtering or some other method.
  • Adobe 38043740 | Lockdown Guide - Page 48
    for more post installation configuration. 4.1.10 Optionally Remove ASP.NET Once you have all websites configured in IIS, you may consider removing the IIS Role Services: ASP.NET, .NET Extensibility and this is not a procedure that is officially documented or supported by Adobe, they do not test
  • Adobe 38043740 | Lockdown Guide - Page 49
    an IIS connector you must re-enable these role services before updating the connector. 4.2 Red Hat Enterprise Linux Download. Verify the integrity of the download by performing an md5sum on the hotfix_XXX.jar file, see that it matches the value found in Adobe ColdFusion update feed: https://www.adobe
  • Adobe 38043740 | Lockdown Guide - Page 50
    You may consider using chmod -R 550 /web instead of 750 if write permission is not needed by ColdFusion on all files or directories. # chcon -R --reference=/var/www /web 4.2.3: Specify permissions for ColdFusion Directories chown -R cfusion:root /opt/coldfusion10/ chmod -R 750 /opt/coldfusion10/ You
  • Adobe 38043740 | Lockdown Guide - Page 51
    -bin /usr/sbin/httpd \ -script /etc/init.d/httpd At this point you will find that with SELinux enabled Apache will fail to start because the mod_jk (the Tomcat connector module for Apache) module does not have sufficient permissions, the error may look something like this: Starting httpd: httpd:
  • Adobe 38043740 | Lockdown Guide - Page 52
    Server Settings > Settings Page. 4.2.6 Update Java Virtual Machine The Java Virtual Machine included with the ColdFusion installer may not be the latest JVM supported by Adobe. Download the RPM for the JVM from java.oracle.com. After you run the binary the JVM is installed in /usr/java/ a symbolic
  • Adobe 38043740 | Lockdown Guide - Page 53
    # cp jvm.config jvm.config.backup To update using ColdFusion Administrator: click on Server Settings > Java and JVM and then add /usr/java/latest/ to the Java Virtual Machine Path text box. To update via shell: Edit jvm.config in a text editor to locate the line beginning with java.home= for example
  • Adobe 38043740 | Lockdown Guide - Page 54
    4.2.8 Add umask to startup script Edit the /etc/init.d/coldfusion10 startup script and add the line near the top but below the #description comment: umask 007 Consider setting a more restrictive umask for the group permission. 4.3 Post Configuration Settings for Windows and Linux The following
  • Adobe 38043740 | Lockdown Guide - Page 55
    each ColdFusion instance created. 4.3.3 Apply any ColdFusion additional Security Patches Visit: http://www.adobe.com/support/security/ and read all pertinent ColdFusion Security Bulletins. Download and install any relevant security hotfixes not already installed. 4.3.4 Tomcat Shutdown Port Tomcat
  • Adobe 38043740 | Lockdown Guide - Page 56
    Please note: Changing the port setting may cause the shutdown of the ColdFusion Service on Windows to fail, you may need to kill the process manually to stop ColdFusion. The Linux shutdown script should still work properly when the port is changed. 4.3.5 Add a connector shared secret Specify a
  • Adobe 38043740 | Lockdown Guide - Page 57
    Section 5: ColdFusion Administrator Settings In this section several recommendations are made for ColdFusion server settings. It is important to understand that changes to some of these settings may affect how your website functions, and performs. Be sure to understand the implications of all
  • Adobe 38043740 | Lockdown Guide - Page 58
    Setting / Default / Recommendation / Description. Disable access to internal ColdFusion Java components: default Unchecked; recommendation Checked. Prefix serialized JSON with: default Unchecked, prefix //. Maximum Output Buffer size: default 1024KB. The internal ColdFusion Java components may allow administrative duties to be performed. Some
  • Adobe 38043740 | Lockdown Guide - Page 59
    Enable In-Memory File System: default Checked; recommendation Unchecked if not used. If your applications do not require the in-memory file system, uncheck this checkbox. Ensure that you have sufficient heap ... Watch configuration files for changes (check every N seconds): default Unchecked.
  • Adobe 38043740 | Lockdown Guide - Page 60
    Enable Global Script Protection: default Unchecked; recommendation Checked, but understand its limitations. This setting provides very limited protection against certain Cross Site Scripting attack vectors. It is important to understand that ... Default ScriptSrc Directory: default /CFIDE/scripts/.
  • Adobe 38043740 | Lockdown Guide - Page 61
    Missing Template Handler: default Blank or /CFIDE/administrator/templates/missing_template_error.cfm; recommendation Specified. The missing template handler HTML should be equivalent to the 404 error handler specified on your web server. The default missing template handler
  • Adobe 38043740 | Lockdown Guide - Page 62
    does not deal with large HTTP POST operations (such as file uploads, or large web service requests), reduce this size to 1MB. If the application does allow uploads of files set servers allow for much larger heap sizes. Aim for 10% of the maximum heap size as an upper limit for this setting.
  • Adobe 38043740 | Lockdown Guide - Page 63
    server. Maximum number of simultaneous Template requests: default 25. Maximum number of simultaneous Flash Remoting requests: default 5. Maximum number of simultaneous Web Service requests: default 5. Recommendation: tuned based on hardware capabilities and application characteristics. When this
  • Adobe 38043740 | Lockdown Guide - Page 64
    set to 1. Otherwise use load testing to find the optimal value for this setting. Maximum number of simultaneous Report threads: default 1; recommendation 1. Keep this value at 1 unless you are using cfreport heavily. Maximum number of threads available for CFTHREAD: default 10. Timeout requests waiting in queue after: default 60 seconds.
  • Adobe 38043740 | Lockdown Guide - Page 65
    5.3 Server Settings > Client Variables. Default Storage Mechanism for Client Sessions: default Cookie; recommendation None / Cookie. If applications have client management enabled a large amount of data can accumulate on the server. This can lead to a storage failure if disks
  • Adobe 38043740 | Lockdown Guide - Page 66
    file. Checked. Session cookies should always be marked as HTTPOnly to prevent JavaScript or other client side technologies from accessing their values (on supported clients). Checked if all sites require SSL. A client will only transmit a secure cookie over a secured connection (eg SSL).
  • Adobe 38043740 | Lockdown Guide - Page 67
    Consider enabling SSL or TLS encryption for sending mail with ColdFusion. Checked if supported. Consider enabling SSL or TLS encryption for sending mail with ColdFusion. 5.6 Data & Services > Data Sources. Login Timeout (sec): default 30 Seconds; recommendation 5 Seconds.
  • Adobe 38043740 | Lockdown Guide - Page 68
    user that ColdFusion connects as, also has limited permissions to only what is necessary. 5.7 Data & Services > Flex Integration. Enable Flash Remoting support: default Checked; recommendation Unchecked if not used. Enable RMI over SSL for Data Management: default Unchecked. Disable
  • Adobe 38043740 | Lockdown Guide - Page 69
    5.8 Debugging & Logging > Debug Output Settings. Enable Robust Exception Information: default Unchecked; recommendation Unchecked. Enable AJAX Debug Log Window: default Unchecked. Enable Request Debugging Output: default Unchecked. When robust exception information is enabled sensitive
  • Adobe 38043740 | Lockdown Guide - Page 70
    & Logging > Logging Settings. Log directory: default {cf-root}/logs. Maximum number of archives: default 10. Ensure that the location of this directory has sufficient storage space to hold Maximum File Size multiplied by the Maximum
  • Adobe 38043740 | Lockdown Guide - Page 71
    Unchecked, if not using Event Gateways. If you do not use Event Gateways, disable the Event Gateway Service. 5.12 Security > Administrator. ColdFusion Administration Authentication: default Separate user name and password authentication. Password Seed: recommendation
  • Adobe 38043740 | Lockdown Guide - Page 72
    5.13 Security > RDS. Enable RDS: default Unchecked; recommendation Unchecked. RDS should not be enabled on a production server. If RDS was previously enabled ensure that the /WEB-INF/web.xml does not contain a ServletMapping for the RDSServlet. 5.14 Security > Sandbox Security
  • Adobe 38043740 | Lockdown Guide - Page 73
    Default: None. Any IP address in this list may execute remote services that expose server functionality via web services. To invoke these web services the client must be on the allowed IP list, and have a username and password. It is recommended that you do not use
  • Adobe 38043740 | Lockdown Guide - Page 74
    ://www.adobe.com/go/coldfusion-updates Recommendation: the HTTPS version of the URL, or specify an internal URL. Change the default URL to https to avoid a spoofed update. If your network security policy does not allow external internet connections you can maintain an internal update URL which could be updated manually
  • Adobe 38043740 | Lockdown Guide - Page 75
    for developers to take advantage of. Most applications do not make use of all these services, and can therefore be disabled to improve security. 6.1 Servlets and Servlet Mappings in web.xml All JEE web applications have a file in the WEB-INF
  • Adobe 38043740 | Lockdown Guide - Page 76
    .bootstrap.BootstrapServlet servlet.class coldfusion.rds.RdsFrontEndServlet 6.3 Disabling support for JWS files
  • Adobe 38043740 | Lockdown Guide - Page 77
    JWS files are Java Web Services files; most ColdFusion applications do not use them. To remove support, simply remove the servlet mapping:
  • Adobe 38043740 | Lockdown Guide - Page 78
    /gateway/* 6.6 Disabling Flash Form Servlet Mappings If you are not using Flash forms you can disable the servlet mappings used to serve flash forms. Remove flash form servlet mappings:
  • Adobe 38043740 | Lockdown Guide - Page 79
    Mapping The WSRP Servlets and Filters are used to support Web Services for Remote Portlets, a SOAP based API for serving portlets. If this feature is is used to serve dynamically generated assets. It is used to support the following tags cfreport, cfpresentation, and cfimage (with action=captcha
  • Adobe 38043740 | Lockdown Guide - Page 80
    /CFFileServlet/* 6.10 Disabling Remote CFC Invocation The CFCServlet is used to serve SOAP web service requests, remote CFC method invocation (eg file.cfc?method=doSomething), AIR synchronization, and flash remoting. If you do not require these features
  • Adobe 38043740 | Lockdown Guide - Page 81
    Note: it is important that you do not delete these mappings, as this will allow your CFC source code to be downloaded.
  • Adobe 38043740 | Lockdown Guide - Page 82
    6.11 Adding ClickJacking Protection ColdFusion 10 includes two new Servlet Filters CFClickJackFilterDeny and CFClickJackFilterSameOrigin. When a URL is mapped to one of these servlets the X-Frame-Options HTTP header will be returned
  • Adobe 38043740 | Lockdown Guide - Page 83
    ://www.adobe.com/support/security/ Microsoft Security Tech Center: http://technet.microsoft.com/en-us/security/default.aspx RedHat Security: http://www.redhat.com/security/updates/ Changelog for Apache 2.2 web server: http://www.apache.org/dist/httpd/CHANGES_2.2 To keep updated with ColdFusion 10
  • Adobe 38043740 | Lockdown Guide - Page 84
    downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e A.2 - NSA Operating System Security Guides gov/ia/_files/os/redhat/rhel5-guide-i731.pdf A.4 - ColdFusion and SELinux: http Remote ColdFusion vulnerability scanner: http://hackmycf.com/ A.10 - Fixing Apache (13) Permission Denied 403
  • Adobe 38043740 | Lockdown Guide - Page 85
    RHEL: Red Hat Enterprise Linux. IIS: (Microsoft) Internet Information Server. DOS: Denial of Service. SSL: Secure Socket Layer - Protocol often used for https. HTTPS: Hypertext Transfer Protocol Secure - Encryption layer for HTTP. HTTP: Hypertext Transfer Protocol. SSH: Secure Shell. NTFS, ACL, XML, JSP, JWS, CFML: (meanings continue on the next page)
  • Adobe 38043740 | Lockdown Guide - Page 86
    RDS: Remote Development Services. XSS: Cross Site Scripting. CSRF: Cross Site Request Forgery. Also referred to as XSRF. CFC: ColdFusion Component. IP: Internet Protocol.
  • Adobe 38043740 | Lockdown Guide - Page 87
    Written by Pete Freitag For more information Solution details: www.adobe.com/go/coldfusion Adobe, the Adobe logo, Adobe AIR, AIR, ColdFusion, Flash, JRun, and LiveCycle are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. Mac OS is

Adobe® ColdFusion® 10 Server Lockdown Guide
Section 1: Introduction
The ColdFusion 10 Server Lockdown Guide is written to help server administrators secure their ColdFusion 10 installations. In this document you will find several tips and suggestions intended to improve the security of your ColdFusion server. The reader is strongly encouraged to test all recommendations on an isolated test environment before deploying into production.
1.1 Default File Paths and Usernames
This guide provides example file system paths for installation; you do not need to use the same example installation paths provided in this guide.
1.2 Operating Systems and Web Servers
This guide focuses on Windows 2008 / IIS 7, and Redhat Enterprise Linux (RHEL) 6.3 / Apache 2.2. Many of the suggestions presented in this document can be extrapolated to apply to similar Operating Systems and Web Servers.
Contents
Section 1: Introduction - 1
Section 2: Installation Prerequisites - 3
Section 3: Installing ColdFusion - 32
Section 4: Post ColdFusion Installation - 41
Section 5: ColdFusion Administrator Settings - 57
Section 6: ColdFusion Server Services - 57
Section 7: Patch Management Procedures - 83
Appendix A: Sources of Information - 84
Appendix B: List of Acronyms - 85